
Ninja is a privilege escalation detection and prevention system for GNU/Linux hosts. While running, it will monitor process activity on the local host, and keep track of all processes running as root. If a process is spawned with UID or GID zero (root), ninja will log necessary information about this process, and optionally kill the process if it was spawned by an unauthorized user. A "magic" group can be specified, allowing members of this group to run any setuid/setgid root executable.

Individual executables can be whitelisted. Ninja uses a fine-grained whitelist that lets you whitelist executables on a group and/or user basis. This can be used to allow specific groups or individual users access to setuid/setgid root programs, such as su and passwd.

Install Ninja in Ubuntu

sudo aptitude install ninja

Configuring ninja

1. Add a “magic” group (only members of the magic group are allowed root access). In this example we will call the group “ninja”; you may change the name if you wish. Take note of the group id (gid or number).

1. bodhi was allowed to run sudo.
2. ninja detected nobody was not authorized to run sudo.
3. Last, ninja is configured with the “no kill” option, so it did not take action.

Reboot

Before we complete our configuration of ninja, we need to test it. If ninja is misconfigured you may lose all root access!

Clear the log

sudo bash -c "> /var/log/ninja.log"

Reboot, test root (sudo) access and run your system for a few hours or days (your choice). Watch the ninja log. If there are events, you will need to determine whether ninja needs further configuration, either by adding users to the ninja group or by whitelisting processes.

Add a user to the magic group

Use the graphical tool or command line to add users to the ninja group

sudo usermod -a -G ninja user_to_add

Whitelisting a process

Edit /etc/ninja/whitelist

If you examine the file you will find there are already a few processes listed. If you need to add a process, the syntax is:

/path_to/program:group:user

where group/user is a group/user allowed to run the process
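
Because a bad whitelist entry can cost you root access once ninja is enabled, it helps to check the file before activating it. The following linter is an added example, not part of the original article or of the ninja project. It assumes that lines starting with # are comments and that a group or user field may be empty or hold several comma-separated names; the function names are made up for this example.

```python
import grp
import os
import pwd
import sys

def _known(lookup, name):
    try:
        lookup(name)
        return True
    except KeyError:
        return False

def lint_whitelist(lines, group_exists=None, user_exists=None, path_ok=None):
    """Return (line_number, message) for every entry that looks wrong."""
    group_exists = group_exists or (lambda g: _known(grp.getgrnam, g))
    user_exists = user_exists or (lambda u: _known(pwd.getpwnam, u))
    path_ok = path_ok or (lambda p: os.path.isfile(p) and os.access(p, os.X_OK))
    problems = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        fields = line.split(":")
        if len(fields) != 3:
            problems.append((n, "expected /path:group:user, got %d field(s)" % len(fields)))
            continue
        path, groups, users = fields
        if not path.startswith("/"):
            problems.append((n, "path is not absolute: " + path))
        elif not path_ok(path):
            problems.append((n, "no executable file at " + path))
        # Assumption: a field may be empty or hold several comma-separated names.
        names = [("group", g, group_exists) for g in groups.split(",") if g]
        names += [("user", u, user_exists) for u in users.split(",") if u]
        if not names:
            problems.append((n, "entry names no group and no user"))
        problems += [(n, "unknown %s: %s" % (kind, name))
                     for kind, name, exists in names if not exists(name)]
    return problems

# Constructed sample, not a real whitelist: entries 4, 5 and 6 each hold one mistake.
SAMPLE = ["# constructed sample", "/bin/su:ninja:", "/usr/bin/passwd::bodhi",
          "usr/bin/sudo:ninja:", "/bin/mount:ninja", "/bin/ping:ninjas:"]

if __name__ == "__main__":
    with open(sys.argv[1] if len(sys.argv) > 1 else "/etc/ninja/whitelist") as fh:
        for n, msg in lint_whitelist(fh):
            print("line %d: %s" % (n, msg))
```

Run it against /etc/ninja/whitelist after every edit; no output means every entry parsed and every named group, user and program exists on this host.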

Enable ninja

Assuming you have configured ninja and you are not getting alerts in the ninja log, it is time to activate ninja.

Mmh, I never tried Ninja, so I tried to install it, but it crashed in the middle of installing. Sent debug report to developers. Anyway, you’ve tested this on Lucid Lynx? Or does it not run for x64 systems?